[Ach] git - cipher suites - proxy - thoughts

christian mock cm at coretec.at
Wed Nov 20 17:48:03 CET 2013

On Wed, Nov 20, 2013 at 03:07:03PM +0100, Ulrich Poeschl wrote:

> what I never thought about, was checking the ssl-connection that the
> proxy-appliance then negotiates with the real destination and I think
> that should be a point worth mentioning in the paper. you can have the
> newest shiny browser on your client, but if the intercepting proxy
> negotiates weak crypto you loose again AND: you won't notice it.

Definitely worth mentioning. I sniffed our Checkpoint FW-1 this week
and saw the following:

Cipher Suites:
  TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
  TLS_RSA_WITH_RC4_128_SHA (0x0005)
  TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
  TLS_RSA_WITH_RC4_128_MD5 (0x0004)
  Unknown (0x01ff)

Ouch! (And you may now start putting on your tin foil hats WRT 0x01ff
and the Mossad ;-)


Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - Damit so etwas nicht passiert!



More information about the Ach mailing list